A central part of Cerby’s platform is its ability to support various forms of multi-factor authentication in a team-shareable format. This section covers which forms of multi-factor authentication (MFA) Cerby supports and how Cerby prioritizes each form.
Supported forms of multi-factor authentication
Cerby supports four forms of MFA. They are listed below, ranked from most secure and preferred to least secure and preferred:
Machine-generated authentication codes: Six-digit authentication codes computed based on an authentication code (or One-Time Password) seed. Cerby computes these codes based on server time, ensuring they are always accurate.
Email-based authentication codes: Six-digit authentication codes distributed by the application account over email.
[Coming Soon] VoIP-based authentication codes: Six-digit authentication codes distributed by the application account over a VoIP-based phone number.
Phone-based authentication codes: The application account distributes six-digit authentication codes over a real, physical SIM-based phone number.
How to onboard MFA
When adding an account to your Cerby workspace, or from the Configure section of each account, you can automatically onboard and offboard MFA for a managed app. For unmanaged apps, you must manually onboard and offboard MFA using Cerby’s mobile application.
Automated MFA onboarding and offboarding
You can automatically onboard MFA for managed applications in two locations:
During Add Account Process
Click on Add Account from the central Cerby dashboard.
Toggle on the Add a second layer of protection option. You are notified via email when done.
In General Tab of the Account Configuration
Click on the More (...) option in the central Cerby dashboard for any Managed Application account tile.
In the General tab, toggle the Add a second layer of protection option on or off. You are notified via email when done.
Manual MFA onboarding and offboarding
For Unmanaged Applications, the end user must follow the app-specific instructions to configure MFA. Currently, Cerby only supports machine-generated authentication codes. To onboard machine-generated MFA, you must:
Add an account from the central Cerby dashboard.
Install the Cerby mobile application, log in to your account, and access the added account from within the Cerby mobile account listing view.
Click on the account in question and click on Scan Code on the following screen.
If the Unmanaged Application account does not support QR code scanning, click on "Can’t scan the QR code?"
In the following screen, enter the Authentication Code secret and click on Save Secret.
The machine-generated multi-factor option will now be available to all users of the account.
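The following added example (not Cerby's code) shows how a six-digit code is derived from a seed and the clock, and how a scanned QR payload and a manually typed secret reduce to the same seed. It assumes the application uses standard RFC 6238 TOTP with HMAC-SHA1 and a 30-second step, which this page does not state; `normalize_secret` and `totp` are hypothetical names.

```python
# Assumption: RFC 6238 defaults (HMAC-SHA1, 30 s step, 6 digits); not Cerby's implementation.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def normalize_secret(entered: str) -> bytes:
    """Turn a QR payload (otpauth:// URI) or a typed Base32 secret into seed bytes."""
    entered = entered.strip()
    if entered.lower().startswith("otpauth://"):
        params = parse_qs(urlparse(entered).query)
        if "secret" not in params:
            raise ValueError("otpauth URI carries no secret parameter")
        entered = params["secret"][0]
    # Apps often show the secret in lowercase groups separated by spaces or dashes.
    cleaned = entered.replace(" ", "").replace("-", "").upper()
    if not cleaned:
        raise ValueError("empty secret")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped for display
    try:
        return base64.b32decode(cleaned)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc


def totp(seed: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `at` (defaults to the local clock)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test seed, typed the way an app might display it.
    typed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    seed = normalize_secret(typed)
    print("code at t=59:", totp(seed, at=59))
    print("code at t=60:", totp(seed, at=60))  # one second later, next time step
    print("code now:    ", totp(seed))
```

The codes at t=59 and t=60 differ because they fall in different 30-second steps, which is why a code computed from an accurate clock matters.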
Configuring Autofill of MFA Codes
The Cerby platform provides three modes for insertion of authentication codes. They are:
Cerby challenge: By default, Cerby will issue an identity challenge to your Cerby mobile application each time you attempt to access an account’s authentication code for Managed Applications.
Autofill: Under the More (...) > General tab, you can toggle the Have Cerby Autofill the MFA option on and off. In this mode, Cerby will automatically insert the authentication code based on a valid session with your Identity Provider.
Manual insertion: If either option above fails, you can click on the Cerby icon within the Authentication Code field and manually insert the code by selecting the right account and field (e.g., Authentication Code) within the Cerby field manager menu.